From 45bb4e6fe8c5502e2c10cc5a428ed512ed3a7962 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 20 Jul 2017 16:34:57 +0200
Subject: Added various scripts.
---
 scripts/cmcrequest.sh | 21 +++
 scripts/db-diff.sh | 15 ++
 scripts/ds-setupssl.sh | 350 +++++++++++++++++++++++++++++++++++++++++++++
 scripts/httpclient.sh | 27 ++++
 scripts/sd-tps-remove.sh | 8 ++
 scripts/tomcatjss-build.sh | 17 ++-
 scripts/ui-update.sh | 10 ++
 7 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100755 scripts/cmcrequest.sh
 create mode 100755 scripts/db-diff.sh
 create mode 100755 scripts/ds-setupssl.sh
 create mode 100755 scripts/httpclient.sh
 create mode 100755 scripts/sd-tps-remove.sh
 create mode 100755 scripts/ui-update.sh
diff --git a/scripts/cmcrequest.sh b/scripts/cmcrequest.sh
new file mode 100755
index 0000000..c4fe9f7
--- /dev/null
+++ b/scripts/cmcrequest.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PKCS10Client -d ~/.dogtag/pki-tomcat/ca/alias -p Secret.123 \
+ -a rsa -l 1024 \
+ -n "uid=testuser,ou=people,dc=example,dc=com" \
+ -o /tmp/testuser.pem
+
+cat > cmcrequest.cfg << EOF
+numRequests=1
+
+input=/tmp/testuser.pem
+output=/tmp/cmcrequest.out
+
+dbdir=/root/.dogtag/pki-tomcat/ca/alias
+password=Secret.123
+nickname=caadmin
+
+format=pkcs10
+EOF
+
+CMCRequest cmcrequest.cfg
diff --git a/scripts/db-diff.sh b/scripts/db-diff.sh
new file mode 100755
index 0000000..33445cb
--- /dev/null
+++ b/scripts/db-diff.sh
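Review bot: The NSS database password `Secret.123` is passed to PKCS10Client on the command line with `-p` and then written in clear into `cmcrequest.cfg` in the current directory, so it is exposed through the process list, the shell history and whatever umask the caller has; the same pattern recurs in sd-tps-remove.sh (`-w Secret123`) and in the httpclient.cfg heredoc of httpclient.sh. The two halves of this script also disagree on the database location: PKCS10Client is given `-d ~/.dogtag/pki-tomcat/ca/alias` while the config hard-codes `dbdir=/root/.dogtag/pki-tomcat/ca/alias`, which only coincide when the script runs as root. I would read the password from an environment variable or a mode-0600 file, put `umask 077` before the heredoc, and derive both paths from one variable such as `alias_dir=$HOME/.dogtag/pki-tomcat/ca/alias`.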
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+BRANCH=$1
+SUBSYSTEM=$2
+
+cd ../../pki
+
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/acl.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/database.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/db.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/index.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/manager.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/schema.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/vlv.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/vlvtasks.ldif
diff --git a/scripts/ds-setupssl.sh b/scripts/ds-setupssl.sh
new file mode 100755
index 0000000..ef16856
--- /dev/null
+++ b/scripts/ds-setupssl.sh
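Review bot: `cd ../../pki` is unchecked and the script runs under `sh -x` without `-e`, so when the relative path does not resolve every `git diff` below runs against whatever repository the caller happened to be in, and with `$BRANCH` unset the unquoted expansion vanishes and `git diff --follow -- …` effectively diffs the working tree rather than the requested branch. Adding `cd ../../pki || exit 1` and `: "${BRANCH:?branch required}" "${SUBSYSTEM:?subsystem required}"` at the top would fail fast on both. The eight `git diff` lines differ only in the file name and could be a single `for f in acl database db index manager schema vlv vlvtasks; do` loop with `"$BRANCH"` and `"$SUBSYSTEM"` quoted.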
@@ -0,0 +1,350 @@
+#!/bin/sh
+
+if [ "$1" -a -d "$1" ] ; then
+ secdir="$1"
+ echo "Using $1 as sec directory"
+ assecdir=$secdir/../admin-serv
+else
+ secdir=/etc/dirsrv/slapd-localhost
+ assecdir=/etc/dirsrv/admin-serv
+fi
+
+if [ "$2" ] ; then
+ ldapport=$2
+else
+ ldapport=389
+fi
+
+if [ "$3" ] ; then
+ ldapsport=$3
+else
+ ldapsport=636
+fi
+
+me=`whoami`
+if [ "$me" = "root" ] ; then
+ isroot=1
+fi
+
+# see if there are already certs and keys
+if [ -f $secdir/cert8.db ] ; then
+ # look for CA cert
+ if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
+ echo "Using existing CA certificate"
+ else
+ echo "No CA certificate found - will create new one"
+ needCA=1
+ fi
+
+ # look for server cert
+ if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
+ echo "Using existing directory Server-Cert"
+ else
+ echo "No Server Cert found - will create new one"
+ needServerCert=1
+ fi
+
+ # look for admin server cert
+ if certutil -L -d $assecdir -n "server-cert" 2> /dev/null ; then
+ echo "Using existing admin server-cert"
+ else
+ echo "No Admin Server Cert found - will create new one"
+ needASCert=1
+ fi
+ prefix="new-"
+ prefixarg="-P $prefix"
+else
+ needCA=1
+ needServerCert=1
+ needASCert=1
+fi
+
+if [ -n "$NO_ADMIN" ] ; then
+ needASCert=
+fi
+
+# get our user and group
+if test -n "$isroot" ; then
+ uid=`/bin/ls -ald $secdir | awk '{print $3}'`
+ gid=`/bin/ls -ald $secdir | awk '{print $4}'`
+fi
+
+# 2. Create a password file for your security token password:
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -f $secdir/pwdfile.txt ] ; then
+ echo "Using existing $secdir/pwdfile.txt"
+ else
+ echo "Creating password file for security token"
+ (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/pwdfile.txt
+ fi
+ chmod 400 $secdir/pwdfile.txt
+ fi
+
+# 3.
Create a "noise" file for your encryption mechanism:
+ if [ -f $secdir/noise.txt ] ; then
+ echo "Using existing $secdir/noise.txt file"
+ else
+ echo "Creating noise file"
+ (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/noise.txt
+ fi
+ chmod 400 $secdir/noise.txt
+ fi
+
+# 4. Create the key3.db and cert8.db databases:
+ if [ -z "$prefix" ] ; then
+ echo "Creating initial key and cert db"
+ else
+ echo "Creating new key and cert db"
+ fi
+ certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+ fi
+ chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+fi
+
+getserialno() {
+ SERIALNOFILE=${SERIALNOFILE:-$secdir/serialno.txt}
+ if [ ! -f $SERIALNOFILE ] ; then
+ echo ${BEGINSERIALNO:-1000} > $SERIALNOFILE
+ fi
+ serialno=`cat $SERIALNOFILE`
+ expr $serialno + 1 > $SERIALNOFILE
+ echo $serialno
+}
+
+if test -n "$needCA" ; then
+# 5. Generate the encryption key:
+ echo "Creating encryption key for CA"
+ certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# 6.
Generate the self-signed certificate:
+ echo "Creating self-signed CA certificate"
+# note - the basic constraints flag (-2) is required to generate a real CA cert
+# it asks 3 questions that cannot be supplied on the command line
+ serialno=`getserialno`
+ ( echo y ; echo ; echo y ) | certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -2
+# export the CA cert for use with other apps
+ echo Exporting the CA certificate to cacert.asc
+ certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
+fi
+
+if test -n "$MYHOST" ; then
+ myhost="$MYHOST"
+else
+ myhost=`hostname --fqdn`
+fi
+
+genservercert() {
+ hostname=${1:-`hostname --fqdn`}
+ certname=${2:-"Server-Cert"}
+ serialno=${3:-`getserialno`}
+ ou=${OU:-"389 Directory Server"}
+ certutil -S $prefixarg -n "$certname" -s "cn=$hostname,ou=$ou" -c "CA certificate" -t "u,u,u" -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+}
+
+remotehost() {
+ # the subdir called $host will contain all of the security files to copy to the remote system
+ mkdir -p $secdir/$1
+ # this is stupid - what we want is that each key/cert db for the remote host has a
+ # cert with nickname "Server-Cert" - however, badness:
+ # 1) pk12util cannot change nick either during import or export
+ # 2) certutil does not have a way to change or rename the nickname
+ # 3) certutil cannot create two certs with the same nick
+ # so we have to copy all of the secdir files to the new server specific secdir
+ # and create everything with copies
+ cp -p $secdir/noise.txt $secdir/pwdfile.txt $secdir/cert8.db $secdir/key3.db $secdir/secmod.db $secdir/$1
+ SERIALNOFILE=$secdir/serialno.txt secdir=$secdir/$1 genservercert $1
+}
+
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ remotehost $host
+ done
+elif test -n "$needServerCert" ; then
+# 7.
Generate the server certificate:
+ for host in $myhost ; do
+ echo Generating server certificate for 389 Directory Server on host $host
+ echo Using fully qualified hostname $host for the server name in the server cert subject DN
+ echo Note: If you do not want to use this hostname, export MYHOST="host1 host2 ..." $0 ...
+ genservercert $host
+ done
+fi
+
+if test -n "$needASCert" ; then
+# Generate the admin server certificate
+ for host in $myhost ; do
+ echo Creating the admin server certificate
+ OU="389 Administration Server" genservercert $host server-cert
+ # export the admin server certificate/private key for import into its key/cert db
+ echo Exporting the admin server certificate pk12 file
+ pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/adminserver.p12
+ fi
+ chmod 400 $secdir/adminserver.p12
+ done
+fi
+
+# create the pin file
+if [ ! -f $secdir/pin.txt ] ; then
+ echo Creating pin file for directory server
+ pinfile=$secdir/pin.txt
+ echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
+ if test -n "$isroot" ; then
+ chown $uid:$gid $pinfile
+ fi
+ chmod 400 $pinfile
+else
+ echo Using existing $secdir/pin.txt
+fi
+
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ cp -p $secdir/pin.txt $secdir/$host
+ done
+fi
+
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -n "$prefix" ] ; then
+ # move the old files out of the way
+ mv $secdir/cert8.db $secdir/orig-cert8.db
+ mv $secdir/key3.db $secdir/orig-key3.db
+ # move in the new files - will be used after server restart
+ mv $secdir/${prefix}cert8.db $secdir/cert8.db
+ mv $secdir/${prefix}key3.db $secdir/key3.db
+ fi
+fi
+
+# create the admin server key/cert db
+if [ !
-f $assecdir/cert8.db ] ; then
+ echo Creating key and cert db for admin server
+ certutil -N -d $assecdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/*.db
+ fi
+ chmod 600 $assecdir/*.db
+fi
+
+if test -n "$needASCert" ; then
+# import the admin server key/cert
+ echo "Importing the admin server key and cert (created above)"
+ pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+
+# import the CA cert to the admin server cert db
+ echo Importing the CA certificate from cacert.asc
+ certutil -A -d $assecdir -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
+ if [ ! -f $assecdir/password.conf ] ; then
+# create the admin server password file
+ echo Creating the admin server password file
+ echo 'internal:'`cat $secdir/pwdfile.txt` > $assecdir/password.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/password.conf
+ fi
+ chmod 400 $assecdir/password.conf
+ fi
+
+ if [ -f $assecdir/nss.conf ] ; then
+ cd $assecdir
+ echo Enabling the use of a password file in admin server
+ sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" nss.conf > /tmp/nss.conf && mv /tmp/nss.conf nss.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid nss.conf
+ fi
+ chmod 400 nss.conf
+ echo Turning on NSSEngine
+ sed -e "s@^NSSEngine off@NSSEngine on@" console.conf > /tmp/console.conf && mv /tmp/console.conf console.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid console.conf
+ fi
+ chmod 600 console.conf
+ echo Use ldaps for config ds connections
+ sed -e "s@^ldapurl: ldap://$myhost:$ldapport/o=NetscapeRoot@ldapurl: ldaps://$myhost:$ldapsport/o=NetscapeRoot@" adm.conf > /tmp/adm.conf && mv /tmp/adm.conf adm.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid adm.conf
+ fi
+ chmod 600 adm.conf
+ cd $secdir
+ fi
+fi
+
+# enable SSL in the directory server
+echo "Enabling SSL in the directory server"
+if [ -z "$DMPWD" ] ; then
+ echo "when
prompted, provide the directory manager password"
+ echo -n "Password:"
+ stty -echo
+ read dmpwd
+ stty echo
+else
+ dmpwd="$DMPWD"
+fi
+
+ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" < httpclient.cfg << EOF
+host=$HOSTNAME
+port=8443
+secure=true
+
+input=/tmp/httpclient.bin
+output=/tmp/httpclient.out
+
+tokenname=internal
+dbdir=/root/.dogtag/pki-tomcat/ca/alias
+clientmode=false
+password=Secret.123
+nickname=caadmin
+
+servlet=/ca/ee/ca/profileSubmit
+EOF
+
+HttpClient httpclient.cfg
diff --git a/scripts/sd-tps-remove.sh b/scripts/sd-tps-remove.sh
new file mode 100755
index 0000000..0922782
--- /dev/null
+++ b/scripts/sd-tps-remove.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+TPSHOST=`cat tps.host`
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -c << EOF
+dn: cn=$TPSHOST:8443,cn=TPSList,ou=Security Domain,dc=ca,dc=pki,dc=example,dc=com
+changetype: delete
+EOF
diff --git a/scripts/tomcatjss-build.sh b/scripts/tomcatjss-build.sh
index 33c2101..0bc8ef1 100755
--- a/scripts/tomcatjss-build.sh
+++ b/scripts/tomcatjss-build.sh
@@ -1,7 +1,22 @@
 #!/bin/sh -x
+version=7.2.2
+archive=tomcatjss-$version.tar.gz
+
 SRC_DIR=`cd ../.. ; pwd`
 cd $SRC_DIR/tomcatjss
-./build_tomcatjss
+git archive --format=tar.gz --prefix tomcatjss-$version/ -o ../tomcatjss-fedora/$archive -v HEAD
+
+cd $SRC_DIR/tomcatjss-fedora
+
+checksum=`sha512sum $archive | awk '{print $1;}'`
+sed -ri "s/SHA512 \($archive\) = .*/SHA512 \($archive\) = $checksum/" sources
+
+#fedpkg local
+
+#dnf reinstall -y ../tomcatjss-fedora/noarch/tomcatjss-$version-*.rpm
+
+#./build_tomcatjss
+#ant install
diff --git a/scripts/ui-update.sh b/scripts/ui-update.sh
new file mode 100755
index 0000000..4862bb7
--- /dev/null
+++ b/scripts/ui-update.sh
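Review bot: `ldapmodify -c` continues past errors, so a delete that fails (entry absent, wrong DN, rejected bind) returns without the script noticing, and nothing checks that `tps.host` exists or holds exactly one hostname before it is spliced into the DN in the heredoc. The Directory Manager password `Secret123` given with `-w` on the command line is visible in the process list for the duration of the call; `-y <passfile>` with a mode-0600 file or `-W` to prompt avoids that. I would drop `-c`, write `TPSHOST=$(cat tps.host) || exit 1`, and test the exit status of `ldapmodify`.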
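Review bot: Nothing between `git archive` and `sha512sum` checks that the archive was actually produced; the script runs under `sh -x` without `-e`, so a failed `git archive` (or a failed `cd` on either line) leaves whatever stale `$archive` already sits in tomcatjss-fedora, and its checksum is then written into `sources` as if it came from HEAD. Adding `set -e` after the shebang, or `|| exit 1` on `git archive` and both `cd` lines, closes that gap. The `sed -ri` expression also interpolates `$archive` into a regex unescaped, so the dots in `tomcatjss-7.2.2.tar.gz` match any character; anchoring the pattern as `^SHA512 \(` and escaping the name would make the replacement exact.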
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+/bin/cp ../../pki/base/server/share/webapps/ROOT/* /usr/share/pki/server/webapps/ROOT/
+/bin/cp ../../pki/base/server/share/webapps/pki/* /usr/share/pki/server/webapps/pki/
+/bin/cp ../../pki/base/server/share/webapps/pki/ui/* /usr/share/pki/server/webapps/pki/ui/
+/bin/cp ../../pki/base/server/share/webapps/pki/js/* /usr/share/pki/server/webapps/pki/js/
+
+/bin/cp ../../pki/dogtag/common-ui/shared/css/* /usr/share/pki/common-ui/css/
+
+/bin/cp ../../pki/base/ca/shared/webapps/ca/* /usr/share/pki/ca/webapps/ca/
-- cgit
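Review bot: Every `/bin/cp src/* dst/` runs unchecked under plain `#!/bin/sh`, and `cp` without `-R` skips any subdirectory the `*` matches, so apart from the `ui` and `js` directories listed explicitly anything else under `webapps/pki` is silently left out, and a mistyped relative path only shows up as a missing file on the installed server. The relative sources also depend on the caller's working directory rather than on the script's location. Adding `set -e` after the shebang and `cd "$(dirname "$0")" || exit 1` before the copies would make failures visible, and `--` before each source glob guards against names beginning with `-`.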